Fix plugin view names being able to escape the plugin root directory.

Remove the ability to specify completely arbitrary view files. This is possibly a breaking change. However, I feel the risks out weigh the benefits in this situation. Now absolute paths must be located *within* a configured view path.
cakephp · Nov 2, 2015 · 0d3541c · 0d3541c
1 parent 3d7c826
commit 0d3541c
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 8 deletions.
diff --git a/src/View/View.php b/src/View/View.php
@@ -888,9 +888,6 @@ protected function _getViewFileName($name = null)
             $name = $viewPath . $subDir . Inflector::underscore($name);
         } elseif (strpos($name, DS) !== false) {
             if ($name[0] === DS || $name[1] === ':') {
-                if (is_file($name)) {
-                    return $name;
-                }
                 $name = trim($name, DS);
             } elseif (!$plugin || $this->viewPath !== $this->name) {
                 $name = $viewPath . $subDir . $name;

diff --git a/tests/TestCase/View/ViewTest.php b/tests/TestCase/View/ViewTest.php
@@ -355,11 +355,6 @@ public function testGetTemplate()
         $request->action = 'display';
         $request->params['pass'] = ['home'];
 
-        $ThemeView = new TestView(null, null, null, $viewOptions);
-        $expected = TEST_APP . 'Plugin' . DS . 'Company' . DS . 'TestPluginThree' . DS . 'src' . DS . 'Template' . DS . 'Pages' . DS . 'index.ctp';
-        $result = $ThemeView->getViewFileName('Company/TestPluginThree./Pages/index');
-        $this->assertPathEquals($expected, $result);
-
         $ThemeView = new TestView(null, null, null, $viewOptions);
         $ThemeView->theme = 'TestTheme';
         $expected = TEST_APP . 'TestApp' . DS . 'Template' . DS . 'Pages' . DS . 'home.ctp';
@@ -416,6 +411,34 @@ public function testPluginGetTemplate()
         $this->assertEquals($expected, $result);
     }
 
+    /**
+     * Test that plugin files with absolute file paths are scoped
+     * to the plugin and do now allow any file path.
+     *
+     * @expectedException Cake\View\Exception\MissingTemplateException
+     * @return void
+     */
+    public function testPluginGetTemplateAbsoluteFail()
+    {
+        $request = $this->getMock('Cake\Network\Request');
+        $response = $this->getMock('Cake\Network\Response');
+
+        $viewOptions = [
+            'plugin' => null,
+            'name' => 'Pages',
+            'viewPath' => 'Pages'
+        ];
+        $request->action = 'display';
+        $request->params['pass'] = ['home'];
+
+        $view = new TestView(null, null, null, $viewOptions);
+        $expected = TEST_APP . 'Plugin' . DS . 'Company' . DS . 'TestPluginThree' . DS . 'src' . DS . 'Template' . DS . 'Pages' . DS . 'index.ctp';
+        $result = $view->getViewFileName('Company/TestPluginThree./Pages/index');
+        $this->assertPathEquals($expected, $result);
+
+        $view->getViewFileName('Company/TestPluginThree./etc/passwd');
+    }
+
     /**
      * Test getViewFileName method on plugin
      *